Exclusive: Anatomy Of A Brokerage IT Meltdown

Regulators last year issued the SEC's first-ever privacy fine against broker-dealer GunnAllen for failing to protect customer data. But former IT staffers say regulators didn’t seem to know half of this cautionary tale of outsourcing and oversight gone wrong.

Regulatory Sanctions

GunnAllen's IT failures paralleled larger business problems. Formerly known as Napex Financial Corp., GunnAllen was founded in 1996 by Donald Gunn and Richard "Allen" Frueh. GunnAllen provided a place for brokers and dealers, who must be associated with a FINRA member firm in order to trade, to hang their shingle. But by 2008, senior members of the firm had come under fire for not properly vetting those brokers or monitoring what they were doing in the name of GunnAllen.

Notably, 2008 was when FINRA fined GunnAllen $750,000 for a "trade allocation scheme" conducted by former head trader Alexis J. Rivera. "In 2002 and 2003, the firm, acting through Rivera, engaged in a 'cherry picking' scheme in which Rivera allocated profitable stock trades to his wife's personal account instead of to the accounts of firm customers," according to FINRA. "Rivera garnered improper profits of more than $270,000 through this misconduct, which violated the anti-fraud provisions of the federal securities laws and FINRA rules. Rivera was barred in December 2006."

FINRA accused GunnAllen's investment division of doing business with companies, then failing to inform the broker-dealer's own compliance department that those companies should be placed on a restricted or watch list for investments, as is required by the agency. FINRA also said the brokerage failed to safeguard non-public information in its investment division, meaning that other employees could have profited from insider information. Finally, FINRA accused GunnAllen of "failing to preserve emails and instant messages."

A lack of top-down oversight of Michigan-based GunnAllen broker Frank Bluestein ultimately led to the firm's demise. Bluestein resold investments on behalf of Ed May, who FINRA said "created and marketed unregistered investments" to an estimated 1,500 investors under the company he ran, E-M Management Co., LLC. In 2007, the SEC charged May with fraud, for allegedly running a Ponzi scheme focused on a fictitious Las Vegas casino and fake telecommunications equipment and leasing deals that took in more than $250 million before being discovered and stopped.

In 2009, the SEC also charged Bluestein with fraud. According to the SEC complaint, from 2002 to 2007 Bluestein ran seminars that "lured elderly investors into refinancing the mortgages on their homes," ultimately recruiting about 800 investors and securing $74 million in investments.

In April 2011, May pleaded guilty to 59 counts of mail fraud, received a 16-year prison sentence, and was ordered to pay a $250,000 fine. Bluestein, however, denied all knowledge of the Ponzi scheme, citing in his defense that he'd personally purchased the investments being sold by May.

Regardless, GunnAllen faced a volley of investor lawsuits after the SEC's 2009 allegations. By March 2010, FINRA found that GunnAllen no longer had sufficient net capital to trade and closed the firm, leading to the layoff of 400 employees. By November 2010, GunnAllen had been liquidated.

First-Ever Standalone SEC Privacy Fine

Although GunnAllen went bankrupt, regulators weren't done with it. The SEC in 2011 accused two former employees--president Frederick O. Kraus and national sales manager David C. Levine--of having inappropriately used GunnAllen customer data, and it fined them each $20,000.
The SEC also slammed GunnAllen's former chief compliance officer, Mark A. Ellis, for having failed to put in place or enforce proper policies and procedures for protecting customer information. It fined Ellis $15,000. The agency noted that the broker-dealer's written policies were "vague" and turned out to be little more than a rewording of the actual SEC regulations.

As for the alleged security breaches described to InformationWeek by the former Revere Group employees, a 2010 SEC enforcement action against former GunnAllen executives detailed multiple security incidents, but not the full extent of the breaches alleged by the former employees, which included at least one missing laptop containing financial information. Likewise, the home router incident didn't even come to light until 2009, one year after FINRA fined GunnAllen.

New SEC Violations Emerge

In June 2011, Sago detailed the additional security violations in a six-page letter to the SEC's Miami office, which had conducted the GunnAllen investigation. The agency's associate director of enforcement in Miami, who was in charge of the investigation, didn't respond to multiple calls and emails seeking comment on Sago's allegations, whether the investigation was still open, or whether the additional revelations might lead to any new fines or sanctions against current or former employees of GunnAllen or The Revere Group. A spokeswoman for the SEC, reached by phone, declined to comment on any of those questions.

You're misrepresenting the story, queuester. The story doesn't "tie the demise of GunnAllen to the actions of Revere." In the very first paragraph, the story states that GunnAllen's "IT problems were only a symptom of widespread mismanagement and deeper misconduct at the firm." The facts laid out in the story support that thesis.

This article at best was a one-sided and inaccurate accounting of the IT staff that worked for the company after Revere was shown the door. Trying to tie the demise of GunnAllen to the actions of Revere is the same as trying to tie mother's milk to heroin addiction. There is no doubt that Revere was a drag on GunnAllen and did nothing in the interest of their client. That changed when GAF appointed their own CTO who subsequently rid the company of this incompetent and self-serving consultancy. To place so much weight on the quotes of a Revere help desk manager whose greatest contribution was writing poems about eating donuts doesn't really seem to be great investigative journalism. I was there as an employee of GAF during the time and worked for the CTO, who was a very competent technologist, as were many of the people who were kept on. I was also there as we were forced to decommission all of the systems at the behest of FINRA, who also displayed an amazing amount of indifference and incompetency during the process. GAF is shut down for a cash reserve deficiency of $100k while the SEC and FINRA allowed MF Global and Jon Corzine to "misplace" $1.2 billion of investor money. They (the SEC and FINRA) were only successful at dragging the name of one of the only ethical members of the executive management team through the mud. Maybe a little more research might help next time, as the only parties that really were hurt were the customers, and that was done by FINRA, not the company.

Reads like a company I had experience with and yes, it was a calculated plan on the part of the IT "engineer". Maybe more akin to the doctor/nurse who causes a patient's ills to be seen as the hero for relieving them, or a fireman who starts fires to put them out. In the case I was familiar with, the engineer calculated that management would look favorably on him for saving them and unfavorably on anyone who would attack him as being jealous of his expertise, rather than invest to independently investigate and perhaps uncover his intentional staging of the cases. He was right. The company fired two of his superiors for harassing the engineer who had "saved" the company. Recognizing that RevereGroup and GunnAllen are not islands in this respect, there are still more than a few questions surrounding the validity of Sago's accusations (he did work there for what looks to be an extended period before being let go at the height of the 2008 financial crisis). A little vindictiveness? Some of these IT informants seem to share a little responsibility themselves, if nothing else for complacency (why didn't DiMarzio take care of RG personnel problems internally without relating full details to GunnAllen?).

The words that come to mind are Malicious, incompetent and hubris. I can understand not liking your job. I can understand having a bad day. But by the great FSM! I have never read about a company that seems so eager to destroy itself. Not even when MCI was around, did I ever see such cavalier disregard for both customer data.

I worked at GunnAllen in the IT dept for 13 months - 2004/2005 - and one of the "urban legends" from prior to 2004 was that a senior IT programmer was fired for running a porn site on unused space on the web servers. I don't know the truth about this, but it was interesting to hear. I was "downsized" after making the GunnAllen CIO and staff unhappy during the planning of the national convention - no big loss for me, in hindsight!

It almost reminds me of the type of behavior seen in arsonists. It's as if the guy enjoys "starting fires", in the IT sense. Also seems like passive-aggressive behavior... but more aggressive than passive. Like he "forgot" to change the settings back.
